Role in IT decision-making process:Align Business & IT GoalsCreate IT StrategyDetermine IT NeedsManage Vendor RelationshipsEvaluate/Specify Brands or VendorsOther RoleAuthorize PurchasesNot Involved

Work Phone:

Company:

Company Size:

Industry:

Street Address

City:

Zip/postal code

State/Province:

Country:

Occasionally, we send subscribers special offers from select partners. Would you like to receive these special partner offers via e-mail?YesNo

Your registration with Eweek will include the following free email newsletter(s):News & Views

By submitting your wireless number, you agree that eWEEK, its related properties, and vendor partners providing content you view may contact you using contact center technology. Your consent is not required to view content or use site features.

By clicking on the "Register" button below, I agree that I have carefully read the Terms of Service and the Privacy Policy and I agree to be legally bound by all such terms.

Vulnerabilities Fade from the Threat Foreground

Systems still get exploited through vulnerabilities, but it's a declining factor and there isn't a good reason for it anymore. If you use up-to-date products and take reasonable precautions, your chances of getting hit are small and decreasing.

WEBINAR:On-Demand

The reports of Microsoft's "out of band" patch last week of a critical vulnerability in Windows all took note of how unusual it was. Out-of-band updates are unusual-the last one was MS07-017 on April 3, 2007-because Microsoft has gotten on top of the vulnerability problem better than anyone. In fact, I'd say the game is over. They win.

Of course, this doesn't mean that Windows users are all safe now and you can stop worrying about vulnerabilities. What it does mean is that if you use current versions of their products, are diligent about applying updates soon after they come out, have reasonably good and updated security software, and maybe do some reasonable education of users over what they can and can't do with computers, your chances of getting exploited by a vulnerability in a Microsoft product are pretty small. They have been getting smaller over time.

Part of the reason for this is explained in Microsoft's Jeff Jones's most recent report on desktop vulnerabilities. It's clear that things are way better than they were a few years ago. Jones' data shows that Microsoft has fewer and less severe vulnerabilities in its products, and that it patches them faster. And the most recent versions of Microsoft's products, the ones developed with the SDL (Security Development Lifecycle), are the least vulnerable of all, especially Office.

For years I've seen this trend and figured that it should translate into a pattern in the exploitation of vulnerabilities: The older and less-urgently patched a platform is, the more likely it is to be exploited. The newer and more urgently patched a system is, the less it would be exploited. Sure enough, this pattern is borne out in Microsoft's latest SIR (Security Intelligence Report), covering the first half of 2008. Microsoft's data comes from its own telemetry via Windows Update, the Malicious Software Removal Tool, ForeFront products and so on, so it's a huge sample, especially via the MSRT that runs on all systems that run Windows Update.

Further reading

Consider Figure 80 in the report on Page 133, which shows the vulnerabilities behind the top browser-based exploits they collected. Browser exploits are probably the lion's share of vulnerability exploits today. Essentially all of the exploits of Windows vulnerabilities are targeting older, unpatched platforms.

This was a very big deal when it came out, shortly after Vista was released, but one of the facts that quickly became apparent was that if Vista were exploited it would have to be through Internet Explorer 7 in Protected Mode (unless the user turned that off), and therefore the attack could not be persistent. As a practical matter, according to Microsoft, none of the existing attacks affects IE7 in Protected Mode.

The whole current MS08-067 Server vulnerability episode reinforces all of this for me. An update this past Friday night from the Microsoft Security Response Center repeats what I have heard, that people are patching furiously. It also notes that there is exploit code and a functioning attack. A hacker blog on 0x000000.com (love that domain name) says they have found the exploit victim list for the worm and provide the complete list, including the User-Agent strings for all of them. A Securiteam blog says, based on the IP addresses in the list, that the users are "... mainly in Australia, China, Philippines, India, Japan, Korea, Malta, Malaysia, Taiwan, and Vietnam."

I searched the list of over 4,500 User-Agents and found seven hits for Vista systems (those with "Windows NT 6.0" in the User Agent string). Four of those are clearly test probes, and the systems were not actually infected. The other three are for a single IP address and apparently the same host, on a dial-up account with a U.S. West Cast ISP. Sounds like a test system to me. In other words, no actual Vista users were harmed in the exploitation of this vulnerability. This isn't surprising, since the vulnerability is much harder to exploit under Vista than XP, but it's also the point: Vista users are safer because they use Vista.

Advertiser Disclosure:
Some of the products that appear on this site are from companies from which QuinStreet receives compensation. This compensation may impact how and where products appear on this site including, for example, the order in which they appear. QuinStreet does not include all companies or all types of products available in the marketplace.